<html>
<head>
<title>SRP: What does it do?</title>
</head>
<body fgcolor="#000000" bgcolor="#FFFFFF">
<h1>What does SRP do?</h1>
First and foremost, SRP is a strong password authentication protocol.
It was designed as a solution to the age-old problem of deploying
logins and passwords in a distributed system across networks that
may be monitored or compromised by adversaries.
While the strongest version of SRP, known as SRP-3, performs
very well in such a role, it is also versatile enough to serve
in other capacities, namely as a
<a href="#ZK">zero-knowledge identification</a>
protocol and as an efficient
<a href="#AKE">asymmetric key-exchange</a> protocol.
<h2>Password Authentication</h2>
SRP addresses a fairly specific class of hard password authentication
problems, namely that of authenticating a network user to a server
host, both of which reside on a network susceptible to both passive
and active attacks and subject to the following constraints:
<ul>
<li>No third party is involved in the authentication process.
<li>The system is <i>password-only</i>, which means that the user
    uses only a memorized password for authentication.  No keyfiles
    or other persistent forms of secure storage are used on the client
    side.
</ul>
This particular brand of authentication has a surprisingly large
number of applications in the real world, including but not limited
to:
<ul>
<li>Authentication of remote logins to multiuser systems.
    A good example is the <code>telnet</code> program found on
    Unix systems.
<li>User-based access controls on Web sites.
<li>Authentication for X-terminals or Network Computers (NCs).
<li>Network service authentication on LANs, e.g. Novell NetWare.
<li>Public telephones, cellular telephones, ATMs, or set-top boxes.
</ul>
In general, such authentication technology applies to any situation
where a client is used by more than one person or where physical
constraints prevent secure long-term storage of private key information.
In addition, even when client-side storage is possible (e.g. on personal
workstations or PCs), avoiding it and using passwords is advantageous
because they are inherently portable and difficult to steal.
<a name="ZK"><h2>Zero-Knowledge Identification</h2></a>
SRP has also attracted attention from academic circles because it
has properties of a classical zero-knowledge (ZK) identification
protocol.
A two-party ZK protocol has two parties, the <i>prover</i>, who
knows a secret, and a <i>verifier</i>, who must be convinced that
the prover knows the secret.
The three distinguishing characteristics of such a protocol are:
<ul>
<li>The verifier does not possess the prover's secret, but still
has enough information to tell if the prover really knows the secret.
<li>The prover does not reveal the secret to the verifier while
negotiating the protocol.
In fact, no information at all about the secret is communicated to
the verifier other than the fact that the prover knows it.
<li>The prover cannot convince the verifier and successfully negotiate
the protocol without knowing the secret.
</ul>
As it turns out, the user's password and host's verifier in SRP
correspond exactly to the private secret and public verifier in a
ZK protocol.
It is easy to prove that SRP satisfies the first two criteria,
and it is believed that SRP-3 also satisfies the third.
<p>
Zero-knowledge protocols are highly desirable as authentication
protocols because they do not leak information about the password
even to a legitimate host, which provides protection against both
passive snooping and active host impersonation.
A user does not have to worry about accidentally revealing a
password to someone spoofing the network, because the user's
client software does not send out any information to anyone
that could be used to recover the password.
This was always a risk for systems that tried to set up an
encrypted session and then sent the password under that channel.
<a name="AKE"><h2>Asymmetric Key Exchange</h2></a>
SRP also falls into the broad category of <i>asymmetric key exchange</i>
protocols.
These are broadly defined as protocols which perform secure key exchange
but do not require both parties to share secrets beforehand.
Instead, either or both parties has a private key whose public key
is held by the other party.
If the protocol performs secure authentication of one or more of the
parties, it is an <i>authenticated</i> asymmetric key exchange protocol.
<p>
There are a few such protocols in existence, but all of them require
more computation than a conventional symmetric (shared-secret)
key exchange protocol.
SRP-3 provides a fast authenticated asymmetric key exchange without
increasing the computational requirements of the protocol.
Unlike most asymmetric protocols, it can function securely even if only
one party has a public key set in advance.
As an added bonus, it protects the long-term secrets (private keys)
from brute force attack.
Viewed in this context, SRP-3 is the fastest authenticated asymmetric key
exchange protocol, and its security is on par with the best in
this class.
<p>
<hr>
<a href="index.html">Back</a>
</body>
</html>